Raising troubling questions about the reliability of government-mandated cryptography certifications used around the world, scientists have unearthed flaws in Taiwan's secure digital ID system that allow attackers to impersonate some citizens who rely on it to pay taxes, register cars, and file immigration papers.

The crippling weaknesses uncovered in the Taiwanese Citizen Digital Certificate program cast doubt on whether certifications designed to ensure that cryptographic protections used by governments and other sensitive organizations can't be circumvented by adversaries actually achieve that goal, the scientists reported in a research paper scheduled to be presented later this year at the Asiacrypt 2013 conference in Bangalore, India. The flaws may highlight shortcomings in similar cryptographic systems used by other governments around the world, since the vulnerable smartcards used in the Taiwanese program passed both the FIPS 140-2 Level 2 and the Common Criteria standards. The certifications, managed by the National Institute of Standards and Technology (NIST) and its counterparts all over the world, impose a rigid set of requirements on all cryptographic hardware and software used by a raft of government agencies and contractors.

“Trivially broken keys”

The team of scientists uncovered what their paper called a "fatal flaw" in the hardware random number generator (RNG) used to ensure the numbers that form the raw materials of crypto keys aren't based on discernible patterns. Randomness is a crucial ingredient in ensuring adversaries can't break the cryptographic keys underpinning the smartcards issued to Taiwanese citizens.

Out of slightly more than 2 million 1024-bit RSA keys the researchers examined, an astonishing 184 keys were generated so poorly they could be broken in a matter of hours using known mathematical methods and standard computers to find the large prime numbers at their core. Had the keys been created correctly, breaking them so quickly would have required a large supercomputer or botnet. That even such a small percentage of keys were found to be so easily broken underscores the fragility of cryptographic protections millions of people increasingly rely on to shield their most intimate personal and business-sensitive secrets.

"The findings are certainly significant for the citizens who have been issued flawed cards, since any attacker could impersonate them online," the research team wrote in an e-mail to Ars. "More broadly, our research should give pause to any of the many countries that are rolling out this kind of national public key infrastructure. These smart cards were certified to respected international standards of security, and errors led to them generating trivially broken cryptographic keys. If a technologically advanced government trying to follow best practices still has problems, who can get this right?"

Stacking the deck

The research is being published two weeks after documents leaked by former National Security Agency (NSA) contractor Edward Snowden outlined the covert role intelligence agencies have played in deliberately weakening international encryption standards. As a result, the NSA and its counterparts in the UK can most likely bypass many of the encryption technologies used on the Internet. Cryptographers involved in, and independent of, the research agreed that the weaknesses exposed in the paper were almost certainly the result of human error rather than deliberate sabotage. They based that assessment on the observation that the predictable patterns produced by the malfunctioning RNG were so easy to spot.

"Some of the primes discovered in this work are so obviously non-random that, if they were the result of deliberate weaknesses, then I'd be asking for my money back from my three-letter agency," Kenneth G. Paterson, a Royal Holloway scientist who has seen the paper, told Ars. "Because they would clearly not have been doing a very good job in hiding their footprints."

Still, the fact that Taiwan's extremely weak RNGs passed stringent validation processes is troubling. An RNG that picks prime numbers in predictable ways is in some ways the cryptographic equivalent of a blackjack croupier who arranges a deck of cards so they're dealt in a way that puts the gambler at a disadvantage. Properly implemented RNGs, to extend the metaphor, are akin to a relief dealer who thoroughly shuffles the deck, an act that in theory results in the strong likelihood the cards never have and never again will be arranged in that exact same order.

A slide from a recent presentation detailing the 119 primes shared among 103 of the weak cards used in Taiwan's Citizen Digital Certificate program.

There's no way to rule out the possibility that the NSA, or intelligence agencies from other nation states, already knew about the vulnerability in Taiwan's crypto program or about programs in other countries that may suffer from similar weaknesses. The inability of the certifications to spot the fatally flawed RNGs suggests the standards offer far less protection than many may think against subtle flaws that either were intentionally engineered by intelligence agencies or were exploited after being discovered by them.

The researchers began their project by examining almost 2.2 million of the Taiwanese digital certificates secured with 1024-bit keys (newer cards have 2048-bit RSA keys). By scanning for pairs of distinct moduli that shared a common divisor (the greatest common divisor of two keys that share a prime is that prime), they quickly identified 103 keys that shared prime numbers.

A little more than 100 keys that shared primes out of a pool of 2 million makes for a minuscule percentage, but in the eye of a trained cryptographer, it flags a fatal error. When generating a 1024-bit RSA key, there are an almost incomprehensible 2^502 prime numbers that can be picked to form its mathematical DNA, Mark Burnett, an IT security analyst and author, estimates. That's many orders of magnitude more than the roughly 2^266 atoms in the known universe. If all these primes are properly mixed up and evenly distributed in a large digital pot—as is supposed to happen when they are drawn by a correctly functioning RNG—no prime should ever be picked twice. By definition, a prime is a number greater than one that has no positive divisors other than 1 and itself.

A summary of the data flow leading to successful factorizations of the Digital Citizen Card used in Taiwan. (Credit: Bernstein, et al.)

And yet, 103 of the keys flagged by the researchers factored into 119 primes. The anomaly was the first unambiguous sign that something horribly wrong had gone on during the key-generation process for the Taiwanese smartcards. But it wasn't the only indication of severe problems. The researchers sifted through the shared primes and noticed visible patterns of non-randomness that allowed them to factor an additional 81 keys, even though they didn't share primes. Once the primes are discovered, the underlying key is completely compromised. Anyone with knowledge of the primes can impersonate the legitimate card holder by forging the person's digital signature, reading their encrypted messages, and accessing any other privileges and capabilities afforded by the card.
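An added illustration of the shared-factor scan described above (example code written for this page, not the researchers' tooling): a pairwise GCD sweep over a handful of constructed toy moduli, followed by recovery of the private exponent for every modulus that turns out to share a prime. The primes, moduli and public exponent are assumed demo values; a real audit uses 512-bit primes and a batch-GCD product tree instead of pairwise GCDs, but the arithmetic is the same.

```python
"""Audit a batch of RSA moduli for shared prime factors (added example, toy sizes)."""
from itertools import combinations
from math import gcd

# Constructed toy primes: the first seven primes above 10**6. Real RSA-1024 uses 512-bit primes.
P1, P2, P3, P4, P5, P6, P7 = 1000003, 1000033, 1000037, 1000039, 1000081, 1000099, 1000117

# Constructed "issued keys": n1/n2 share P1, n1/n4 share P2, n3/n4 share P5; n5 is independent.
DEMO_MODULI = [P1 * P2, P1 * P3, P4 * P5, P2 * P5, P6 * P7]
E = 65537  # assumed public exponent for every demo key


def find_shared_factors(moduli):
    """Pairwise GCD sweep: returns {n: (p, q)} for every modulus that shares a prime with another.

    gcd(n_a, n_b) == 1 means the pair is unrelated; gcd equal to a modulus itself means the
    two keys are identical (a duplicate, but not something this sweep can factor)."""
    factored = {}
    for a, b in combinations(set(moduli), 2):
        g = gcd(a, b)
        if g in (1, a, b):
            continue
        for n in (a, b):
            factored[n] = (g, n // g)
    return factored


def recover_private_exponent(n, p, q, e=E):
    """Once p and q are known the private exponent follows directly: d = e^-1 mod phi(n)."""
    assert p * q == n, "factors do not multiply to the modulus"
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)


def audit(moduli=DEMO_MODULI):
    """Returns {n: None} for moduli that survive the sweep and {n: True} for moduli whose
    private key was recovered and verified (a value signed with d checks out under (n, e))."""
    report = {}
    factored = find_shared_factors(moduli)
    for n in moduli:
        if n not in factored:
            report[n] = None
            continue
        p, q = factored[n]
        d = recover_private_exponent(n, p, q)
        m = 123456789 % n  # constructed message to sign with the recovered key
        report[n] = pow(pow(m, d, n), E, n) == m
    return report


if __name__ == "__main__":
    for n, status in audit().items():
        print(n, "no shared factor" if status is None else "COMPROMISED: private key recovered")
```

The sweep reports four of the five constructed moduli as compromised; the fifth, whose primes appear nowhere else in the batch, is not affected by this check (it may still be weak for other reasons, which a GCD scan cannot tell you). Run over a certificate database at issuance time, the same scan is the cheap test that would have flagged the Taiwanese cards.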

I have a better way to make a random, non-predictable number. You know that white fuzz that shows up on the TV? Well, that static noise picked up by the antenna is converted into an image on your screen. At any specific moment in time you can do a JPG capture, line up all the pixels and turn that large number into a bigger base for compression. The signal from the Universe is random, right?

Unless somebody is messing with you by broadcasting known static, sure. So think smaller: All those electrons bouncing around in an electronic circuit make noise, so build a tiny device that turns that into random numbers. This happens to be more expensive than copying a piece of software.

These cards wouldn't be such a problem if governments didn't want to issue their citizens prisoner numbers at birth. Free governments should have no reason to be quantifying and identifying their citizens. There is no need for such a wasteful expenditure except control.

The concept of a government-issued identity basically arose around the Industrial Revolution. Prior to that, identities derived from being embedded in social networks (that's a fancy way of saying "everyone in your town knows you"). It works because the identity is irrevocable. Such a system has a hole in it dealing with transients of any type, since for all you know that person is trying to revoke a sullied identity elsewhere. "Good" transients like visiting soldiers or government agents have rigid norms associated with them, and violation of those norms throws you into the "bad" transient group. "Bad" transients (such as traveling snake oil salesmen, homeless people, etc.) were afforded no trust whatsoever and generally treated like crap.

The mass migrations involved with industrialization made the old system untenable. So governments stepped in with identities because the economy needed them to function.

We already have naturally irrevocable identities like iris patterns and fingerprints. The reason we don't (shouldn't) rely on them exclusively is because they are completely irrevocable even if compromised. At least governments can generate a second identity for you if absolutely needed (compromised credentials, witness protection, cover for undercover cops and spies, etc.).

"Some of the primes discovered in this work are so obviously non-random that, if they were the result of deliberate weaknesses, then I'd be asking for my money back from my three-letter agency," Kenneth G. Paterson, a Royal Holloway scientist who has seen the paper, told Ars. "Because they would clearly not have been doing a very good job in hiding their footprints."

Too smart to put such an obvious error there intentionally. Too stupid to notice such an obvious error being there. That's one hell of a sweet spot of mental capacity.

Edit: to be fair, there is no evidence the NSA is behind this. The fact remains that backdoors reduce security for everyone. Whether this is a very poorly executed backdoor or just bad review processes isn't really clear.

Since we know that the NSA is messing with this type of thing, it doesn't matter if others are as well. And if there are others, it doesn't matter if it's one or thousands. We now know that cryptographic functions we previously believed to be secure are not. It doesn't matter who we're defending ourselves against - now that we know a defense is necessary, we can respond accordingly.

So I am a bit unclear regarding the article after reading it. It appears to start out claiming that the standards themselves are broken. What would appear from the latter part though is that something went wrong in the certification process because the article indicates that the tested card does not meet the certification standards despite being certified. FTA (my emphasis added):

Quote:

But despite passing both the FIPS 140-2 Level 2 and Common Criteria standards, the RNG process used to generate the weak cards clearly didn't meet their mandated requirements. FIPS 140, for instance, specifies that output of a hardware RNG on the processor of the smartcard must (a) be fed through tests to check whether it's random and unbiased, and only then can the output (b) be used as a seed for a so-called deterministic random bit generator, which in many settings is referred to as a pseudo RNG. The hardware RNG was provided by the AE45C1, a CPU manufactured by Renesas that sits on top of the smartcard. The deterministic random bit generator was driven by the smartcard firmware provided by Chunghwa Telecom.

"It's pretty clear that neither step happened in this case," the researchers told Ars. "Even without performing step (a), step (b) should have made the keys appear individually random, even if they were not. Instead, the factored keys contained long strings of 0 bits or periodic bit patterns that suggest that step (b) was skipped, and what we see is the direct unwhitened output from the malfunctioning hardware."

It seems to me that the standard may not necessarily be broken, but rather the certification process that allowed a piece of hardware to be certified without actually meeting the criteria. Is that a correct statement or did I misinterpret something?

It seems like a fix in that case would be a process / bureaucratic correction and not necessarily a revision of the standard. It still calls into question the validity of the issued certificates but is not nearly as serious of a problem as a fundamentally flawed standard would be.
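The two steps quoted above, (a) health-test the raw hardware RNG output and (b) only then seed a deterministic random bit generator with it, are easy to model, and doing so shows why skipping (a) is so dangerous. The block below is an added example written for this page, not code from the article, the researchers, or any certified product: the bias, longest-run and periodicity checks and their thresholds are simplified stand-ins for the NIST SP 800-22/800-90B tests, and the HMAC-SHA256 counter-mode expander stands in for an SP 800-90A DRBG. The three raw samples are constructed, not captured from any card.

```python
"""Toy model of FIPS 140 steps (a) RNG health check and (b) DRBG seeding (added example)."""
import hashlib
import hmac
import math


def to_bits(data: bytes) -> list:
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def longest_run(bits):
    """Length of the longest run of identical consecutive bits."""
    best = cur = 1
    for prev, b in zip(bits, bits[1:]):
        cur = cur + 1 if b == prev else 1
        best = max(best, cur)
    return best


def periodic_fraction(bits, period):
    """Fraction of positions whose bit repeats `period` steps later (1.0 = perfectly periodic)."""
    pairs = list(zip(bits, bits[period:]))
    return sum(a == b for a, b in pairs) / len(pairs)


def health_check(raw: bytes) -> list:
    """Step (a): return the reasons the sample looks non-random; an empty list means it passed.
    Thresholds are assumed values chosen for a 512-bit sample, not NIST's."""
    bits = to_bits(raw)
    n = len(bits)
    problems = []
    ones = sum(bits)
    if abs(2 * ones - n) > 3.3 * math.sqrt(n):          # monobit: far too many 1s or 0s
        problems.append(f"monobit bias: {ones} ones out of {n} bits")
    run = longest_run(bits)
    if run > 26:                                         # long strings of identical bits
        problems.append(f"longest run of identical bits is {run}")
    for period in range(1, 17):                          # short repeating bit patterns
        frac = periodic_fraction(bits, period)
        if frac > 0.9:
            problems.append(f"sequence repeats with period {period} ({frac:.0%} agreement)")
            break
    return problems


def condition(seed: bytes, nbytes: int) -> bytes:
    """Step (b), simplified: HMAC-SHA256 in counter mode, standing in for an SP 800-90A DRBG.
    The output looks random for ANY seed, which is exactly why step (a) must come first."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(seed, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:nbytes]


def generate_key_material(raw: bytes, nbytes: int = 128) -> bytes:
    """Refuse to seed the DRBG with hardware output that fails the health check."""
    problems = health_check(raw)
    if problems:
        raise RuntimeError("hardware RNG failed health check: " + "; ".join(problems))
    return condition(raw, nbytes)


# Constructed 512-bit samples standing in for raw hardware RNG output.
STUCK_AT_ZERO = bytes(64)                                  # a long string of 0 bits
PERIODIC = bytes([0xA5]) * 64                              # 10100101 repeated: period-8 pattern
PLAUSIBLE = hashlib.sha512(b"constructed demo entropy").digest()  # statistically unremarkable

if __name__ == "__main__":
    for name, sample in [("stuck-at-zero", STUCK_AT_ZERO), ("periodic", PERIODIC), ("plausible", PLAUSIBLE)]:
        print(name, "raw:", health_check(sample) or "passed")
        print(name, "after DRBG:", health_check(condition(sample, 64)) or "passed")
```

The stuck-at-zero and periodic samples fail step (a) on the raw bits, yet both pass every check once pushed through the DRBG in step (b). That is the point the researchers make: the whitening step hides a broken source from statistical inspection without adding any unpredictability (the conditioned output of an all-zero seed is the same every time), so a card that performs (b) without (a) produces keys that look fine and are still trivially predictable, while a card that performs neither, as the factored Taiwanese cards apparently did, leaks the raw defect straight into the primes.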

I have a better way to make a random, non-predictable number. You know that white fuzz that shows up on the TV? Well, that static noise picked up by the antenna is converted into an image on your screen. At any specific moment in time you can do a JPG capture, line up all the pixels and turn that large number into a bigger base for compression. The signal from the Universe is random, right?

Unless somebody is messing with you by broadcasting known static, sure. So think smaller: All those electrons bouncing around in an electronic circuit make noise, so build a tiny device that turns that into random numbers. This happens to be more expensive than copying a piece of software.

edit: added the word "known."

Intel created an interesting solution to the pseudo RNG in Ivy Bridge, which is based on unpredictable thermal noise inside the chip. Interesting article about it.

I have a better way to make a random, non-predictable number. You know that white fuzz that shows up on the TV? Well, that static noise picked up by the antenna is converted into an image on your screen. At any specific moment in time you can do a JPG capture, line up all the pixels and turn that large number into a bigger base for compression. The signal from the Universe is random, right?

Unless somebody is messing with you by broadcasting known static, sure. So think smaller: All those electrons bouncing around in an electronic circuit make noise, so build a tiny device that turns that into random numbers. This happens to be more expensive than copying a piece of software.

edit: added the word "known."

Intel created an interesting solution to the pseudo RNG in Ivy Bridge, which is based on unpredictable thermal noise inside the chip. Interesting article about it.

Thank you for that link, an interesting read. Some nit picking:

"This circuit adjusts the charge on a set of large capacitors." Heh. A large capacitor is, to me, either a 3.1 farad one that goes BOOM at three volts or a 1930's era 0.2 micro farad saran wrap and aluminium foil all rolled up type.

"nudges the latch slightly more toward 0 whenever it produces a 1 and vice-versa." I mildly object to that, as they seem to be theorizing that "10" is more random than "11."

"[If all the cores ask for random numbers the seed is fed to a pseudorandom generator]." Yikes. Perhaps there is a pseudorandom generator that gives different values from the same seed, perhaps the article misstates the actual action, or perhaps I should look at the word "a" in "a NIST SP800-90A-based...."

Anyway, thank you, a cool read.

I have a better way to make a random, non-predictable number. You know that white fuzz that shows up on the TV? Well, that static noise picked up by the antenna is converted into an image on your screen. At any specific moment in time you can do a JPG capture, line up all the pixels and turn that large number into a bigger base for compression. The signal from the Universe is random, right?

Unless somebody is messing with you by broadcasting known static, sure. So think smaller: All those electrons bouncing around in an electronic circuit make noise, so build a tiny device that turns that into random numbers. This happens to be more expensive than copying a piece of software.

edit: added the word "known."

If the problem exists in the macro solution, it might also persist in the micro one. Maybe to solve the problem in the macro one you would need a vibrating width or rotating cage to stretch the signal as it's being read to confuse the broadcaster. Probably, some mitigating solutions could be adapted in different ways for the micro solution. I'm just wondering what you could throw together in a garage to make it simple and cheap.

Please enlighten me. As I understand it, in order to encrypt an ID card or a document, the steps are: a) generate a private key and b) a public key. When a police officer is there to check on this person's identity, the officer slides this guy's ID card into his/her card reader to retrieve the information from the ID card with a public key that has already been pre-installed on all the readers in their police patrol cars and on every police station's card readers. That means it only needs to share one set of common public keys to decrypt any of the millions of ID cards out there, and that is it. Why it would be necessary for each identification card to have its own public key is what I don't understand. And how the card readers in the patrol cars are to know who is who and which key belongs to which ID for its decryption is beyond me.

Do they really need one key per card, and so many million different sets of public keys for every one of their cardholders? It seems it gets too complicated and is also a waste of effort for just an identification card. I know.. I know.. the whole process is there to defeat identity theft. It says so in the very first paragraph. But still, it is not like there are a few million USD for anyone to grab once the codes are cracked.

What I find interesting is not only did the smartcards generate duplicate primes, but they generated duplicate "weak" primes.

OTOH, this may be a consequence of the investigation itself, i.e. the researchers start by checking the keys for weak primes, but in the process they discover the cards are generating duplicate primes. I wonder if the researchers spent the time cracking stronger primes if they would also find similar levels of duplication.

I have a better way to make a random, non-predictable number. You know that white fuzz that shows up on the TV? Well, that static noise picked up by the antenna is converted into an image on your screen. At any specific moment in time you can do a JPG capture, line up all the pixels and turn that large number into a bigger base for compression. The signal from the Universe is random, right?

Random.org is a website that produces "true" random numbers based on atmospheric noise.

I have a better way to make a random, non-predictable number. You know that white fuzz that shows up on the TV? Well, that static noise picked up by the antenna is converted into an image on your screen. At any specific moment in time you can do a JPG capture, line up all the pixels and turn that large number into a bigger base for compression. The signal from the Universe is random, right?

Random.org is a website that produces "true" random numbers based on atmospheric noise.

Unfortunately, from a security standpoint, both suffer the same problem. You can't be sure the static or numbers weren't actually sent by an attacker.

It seems to me that the standard may not necessarily be broken, but rather the certification process that allowed a piece of hardware to be certified without actually meeting the criteria. Is that a correct statement or did I misinterpret something?

It seems like a fix in that case would be a process / bureaucratic correction and not necessarily a revision of the standard. It still calls into question the validity of the issued certificates but is not nearly as serious of a problem as a fundamentally flawed standard would be.

Mostly correct.

The research paper indicates that FIPS mode was not enabled on some of the cards.

The ability to enable and disable "FIPS mode" is a common feature in hardware with secure elements, such as smart cards and Hardware Security Modules. FIPS mode may reduce performance, restrict the algorithms you can use and increase timeframes during the solution development phase (for instance, by restricting the ability to export key material for backup).

Why was FIPS mode disabled on only some cards? Manufacturing error, administrative errors and user errors all come to mind.

In the original article, the researchers suggest that the security industry move to "stronger certifications that prohibit error-prone APIs and that include assessments of RNG quality". Practical concerns aside, I agree.

I have a better way to make a random, non-predictable number. You know that white fuzz that shows up on the TV? Well, that static noise picked up by the antenna is converted into an image on your screen. At any specific moment in time you can do a JPG capture, line up all the pixels and turn that large number into a bigger base for compression. The signal from the Universe is random, right?

Random.org is a website that produces "true" random numbers based on atmospheric noise.

Please forget this silly idea that "randomness" makes all your crypto problems better. It doesn't matter how random it is if somebody else (e.g. random.org) knows the numbers generated. Similarly, it doesn't matter if you just pick one "non-randomly" if nobody else can ever figure out your guess. It is unpredictability (by an attacker) that counts; randomness is just a very good way of achieving it.

I have a better way to make a random, non-predictable number. You know that white fuzz that shows up on the TV? Well, that static noise picked up by the antenna is converted into an image on your screen. At any specific moment in time you can do a JPG capture, line up all the pixels and turn that large number into a bigger base for compression. The signal from the Universe is random, right?

Unless somebody is messing with you by broadcasting known static, sure. So think smaller: All those electrons bouncing around in an electronic circuit make noise, so build a tiny device that turns that into random numbers. This happens to be more expensive than copying a piece of software.

edit: added the word "known."

Intel created an interesting solution to the pseudo RNG in Ivy Bridge, which is based on unpredictable thermal noise inside the chip. Interesting article about it.

Thank you for that link, an interesting read. Some nit picking:

"This circuit adjusts the charge on a set of large capacitors." Heh. A large capacitor is, to me, either a 3.1 farad one that goes BOOM at three volts or a 1930's era 0.2 micro farad saran wrap and aluminium foil all rolled up type.

"nudges the latch slightly more toward 0 whenever it produces a 1 and vice-versa." I mildly object to that, as they seem to be theorizing that "10" is more random than "11."

"[If all the cores ask for random numbers the seed is fed to a pseudorandom generator]." Yikes. Perhaps there is a pseudorandom generator that gives different values from the same seed, perhaps the article misstates the actual action, or perhaps I should look at the word "a" in "a NIST SP800-90A-based...."

Anyway, thank you, a cool read.

edit: changed "actually" to "actual."

The Ivy Bridge RNG always feeds through the PRNG (AES-CTR), and that is fed from an AES-MAC conditioner that is run over the hardware output. Actually trying to get random data from a bit of hardware is quite hard. The hardware could be affected by voltage fluctuations or temperature or manufacturing defects; that's why you need constant self tests/self tuning. You actually want to feed through a PRNG for just that reason (it can help filter out subtle bias that the BIST hardware misses).

Oh, don't be silly. "1111111111111111111111111111111111111111111111111111111111111...." is _so_ totally random because the odds of that showing up on thrown dice is so zilch

Please note that I said I "mildly object."

But that's the problem they are trying to solve. It is very hard to keep such a design in its unstable state. You are correct that their approach will bias the output, but if they didn't do it you would get a never ending sequence of '1's (or its inverse). Hardware RNGs are not more reliable than software PRNGs, so a good software PRNG occasionally seeded from several different hardware sources will probably give the best (practical) security we can ever realistically hope to achieve in general purpose systems.

"It is very hard to keep such a design in its unstable state." My understanding of such is from late in the last century. From way back then one does not attempt to do so. One just amplifies the random noise that is present always, and converts that into, perhaps, monkey audio and does the obvious. Again, please note that I said that I "mildly object" about that.

"It is very hard to keep such a design in its unstable state." My understanding of such is from late in the last century. From way back then one does not attempt to do so. One just amplifies the random noise that is present always, and converts that into, perhaps, monkey audio and does the obvious.

That is what they attempt to do ideally; in reality, to extract that noise (which is tiny) you need some kind of metastable oscillator/amplifier (like the sense amps in DRAM). You can do what you suggest with very tightly matched components, but with any slight bias voltage across a component (e.g. due to tiny manufacturing differences) it will get stuck, simply because thermal noise is so small in magnitude. I am guessing the tolerances of FETs on Intel's 22nm aren't very tight at all, and that is why they have to keep adjusting the cap voltages at run time, which in turn gives biased output, hence all the AES post processing.

Quote:

Again, please note that I said that I "mildly object" about that.

I know, but you actually raise a very important and often overlooked point: these designs are very fragile and need a lot of countermeasures (e.g. undervolt/overvolt protection) to maintain security. Designing these things is very hard, so I only hope Intel did it right, because FIPS certification doesn't appear to be worth the paper it's written on these days...